[openssh-commits] [openssh] 01/07: upstream: Fix cases in GSSAPI and keyboard-interactive

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Jul 6 19:03:46 AEST 2026


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch V_10_4
in repository openssh.

commit d43ba60c91cb323ca921049b7d43b1908c318454
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Jul 6 07:44:48 2026 +0000

    upstream: Fix cases in GSSAPI and keyboard-interactive
    
    authentication where the minimum per-attempt delay was not being enforced.
    
    Reported by Orange Cyberdefense Vulnerability Team
    
    OpenBSD-Commit-ID: c40bd35cc2428fcaccad7a141703c28baa6da01e
---
 auth.h        |  3 ++-
 auth2-chall.c |  6 +++++-
 auth2-gss.c   |  9 ++++++++-
 auth2.c       | 12 +++++++++---
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/auth.h b/auth.h
index 634a84aa8..0f11458ca 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.109 2026/02/06 01:24:36 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.110 2026/07/06 07:44:48 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -175,6 +175,7 @@ void	auth_log(struct ssh *, int, int, const char *, const char *);
 void	auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
 void	userauth_finish(struct ssh *, int, const char *, const char *);
 int	auth_root_allowed(struct ssh *, const char *);
+void	auth_failure_delay(Authctxt *, double);
 
 char	*auth2_read_banner(void);
 int	 auth2_methods_valid(const char *, int);
diff --git a/auth2-chall.c b/auth2-chall.c
index f3889079b..8a23ca2dc 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.60 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.61 2026/07/06 07:44:48 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -300,6 +300,7 @@ input_userauth_info_response(int type, uint32_t seq, struct ssh *ssh)
 	u_int i, nresp;
 	const char *devicename = NULL;
 	char **response = NULL;
+	double tstart = monotime_double();
 
 	if (authctxt == NULL)
 		fatal_f("no authctxt");
@@ -358,6 +359,9 @@ input_userauth_info_response(int type, uint32_t seq, struct ssh *ssh)
 			auth2_challenge_start(ssh);
 		}
 	}
+
+	if (!authenticated)
+		auth_failure_delay(authctxt, tstart);
 	userauth_finish(ssh, authenticated, "keyboard-interactive",
 	    devicename);
 	return 0;
diff --git a/auth2-gss.c b/auth2-gss.c
index 053548527..355926afc 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.39 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.40 2026/07/06 07:44:48 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -255,6 +255,7 @@ input_gssapi_exchange_complete(int type, uint32_t plen, struct ssh *ssh)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	int r, authenticated;
+	double tstart = monotime_double();
 
 	if (authctxt == NULL)
 		fatal("No authentication or GSSAPI context");
@@ -268,6 +269,8 @@ input_gssapi_exchange_complete(int type, uint32_t plen, struct ssh *ssh)
 		fatal_fr(r, "parse packet");
 
 	authenticated = mm_ssh_gssapi_userok(authctxt->user);
+	if (!authenticated)
+		auth_failure_delay(authctxt, tstart);
 
 	authctxt->postponed = 0;
 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -288,6 +291,7 @@ input_gssapi_mic(int type, uint32_t plen, struct ssh *ssh)
 	gss_buffer_desc mic, gssbuf;
 	u_char *p;
 	size_t len;
+	double tstart = monotime_double();
 
 	if (authctxt == NULL)
 		fatal("No authentication or GSSAPI context");
@@ -315,6 +319,9 @@ input_gssapi_mic(int type, uint32_t plen, struct ssh *ssh)
 	sshbuf_free(b);
 	free(mic.value);
 
+	if (!authenticated)
+		auth_failure_delay(authctxt, tstart);
+
 	authctxt->postponed = 0;
 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 	ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
diff --git a/auth2.c b/auth2.c
index 3a1682746..3f353a719 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.173 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: auth2.c,v 1.174 2026/07/06 07:44:48 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -265,6 +265,12 @@ ensure_minimum_time_since(double start, double seconds)
 	nanosleep(&ts, NULL);
 }
 
+void
+auth_failure_delay(Authctxt *authctxt, double tstart)
+{
+	ensure_minimum_time_since(tstart, user_specific_delay(authctxt->user));
+}
+
 static int
 input_userauth_request(int type, uint32_t seq, struct ssh *ssh)
 {
@@ -346,8 +352,8 @@ input_userauth_request(int type, uint32_t seq, struct ssh *ssh)
 		authenticated =	m->userauth(ssh, method);
 	}
 	if (!authctxt->authenticated && strcmp(method, "none") != 0)
-		ensure_minimum_time_since(tstart,
-		    user_specific_delay(authctxt->user));
+		auth_failure_delay(authctxt, tstart);
+
 	userauth_finish(ssh, authenticated, method, NULL);
 	r = 0;
  out:

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list